Tag Archive for: journalist

Zero-Click iPhone Exploit Drops Spyware on Exiled Russian Journalist


A report this week about Pegasus spyware showing up on an iPhone belonging to award-winning Russian journalist Galina Timchenko has highlighted again the seemingly myriad ways that government and law enforcement agencies appear to have to deliver the odious surveillance tool on target devices.

Timchenko is an exiled Russian investigative journalist and co-founder of Meduza, a Russian- and English-language news site headquartered in Riga, Latvia. On June 22, Apple sent Timchenko a threat notification that warned her that her device is likely the target of a state-sponsored attack. Apple earlier this year rolled out the spyware threat notifications, which are designed specifically to assist users that the company determines are being individually targeted because of what they do.

Targeted for Spying

Meduza’s technical director reached out to the University of Toronto’s Citizen Lab for help understanding what the alert might have been about. Researchers at Citizen Lab, who have earned a reputation over the years for their ability to conduct investigations into incidents of digital espionage, analyzed forensics artifacts from Timchenko’s phone and quickly determined that someone had installed Pegasus on it in February.

Citizen Lab and Access Now, a nonprofit that advocates for human rights in the digital age, collaborated on the investigation of the incident and released two separate reports on it this week.

“We believe the infection could have lasted from days up to weeks after the initial exploitation,” Citizen Lab said. “The infection was conducted via a zero-click exploit, and forensic traces lead us to assess with moderate confidence that it was achieved via the PWNYOURHOME exploit targeting Apple’s HomeKit and iMessage.” Neither Citizen Lab nor Access Now attributed the attack to any specific nation-state actor.

PWNYOURHOME is one of three iOS 15 and iOS 16 zero-click exploits that Citizen Lab previously determined NSO Group’s clients to have used in 2022 to drop Pegasus on target iPhones. The two-phase zero-click exploit first targets the HomeKit smart home functionality built into iPhones, and then uses the iMessage process to essentially breach device protections and enable Pegasus…

Missouri governor is calling for criminal charges against a journalist who found social security numbers exposed on a public website


Missouri Gov. Mike Parson Jeff Roberson/AP

  • The governor of Missouri is calling for criminal charges against a reporter who found social security numbers exposed online.

  • The reporter found that the SSNs of over 100,000 teachers were viewable on a government site.

  • Gov. Mike Parson labeled the reporter a “hacker” and demanded an investigation – which cyber experts say makes no sense.

Missouri Gov. Mike Parson is demanding a criminal investigation into a journalist who found social security numbers exposed on a state website – a reaction that cybersecurity experts say makes no sense.

On Wednesday, St. Louis Post-Dispatch reporter Josh Renaud published a story revealing that the state’s education department website exposed the SSNs of over 100,000 employees including teachers and administrators. All Renaud had to do to view the SSNs was open “inspect element” to view the page’s source code, which anyone can do with two clicks of a mouse.

Renaud first disclosed the exposure to the state on Tuesday and waited until the issue was fixed before publishing his story – a well-established best practice in cybersecurity reporting.

But after the story went live, Parson held a press conference Thursday slamming Renaud as a “hacker” and calling on state prosecutors to conduct a criminal investigation into his report.

“We will not let this crime against Missouri teachers go unpunished,” Parson said. “They were acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet.”

Parson’s remarks have been met by widespread bewilderment and outrage from cybersecurity experts, who say Renaud disclosed the exposed data responsibly and that using a web browser’s “inspect element” tool does not constitute hacking.

“Hitting F12 in a browser is not hacking,” SocialProof Security CEO Rachel Tobac said in a tweet. “Fix your website.” Another cybersecurity researcher, Matt Blaze, admonished Parson for moving to “call the cops” on someone who “quite responsibly” disclosed the vulnerability.

A day after Parson’s press conference, Cybersecurity and Infrastructure Security Agency director Jen Easterly tweeted that the…

Journalist warns Missouri about security breach. He’s threatened with criminal charges. – East Bay Times


JEFFERSON CITY, Mo. (AP) — Gov. Mike Parson on Thursday condemned the St. Louis Post-Dispatch for exposing a flaw in a state database that allowed public access to thousands of teachers’ Social Security numbers, even though the paper held off from reporting about the flaw until after the state could fix it.

Parson told reporters outside his Capitol office that the Missouri State Highway Patrol’s digital forensic unit will be conducting an investigation “of all of those involved” and that his administration had spoken to the prosecutor in Cole County.

The governor suggested that the Post-Dispatch journalist who broke the story committed a crime and said the news outlet would be held accountable.

The state’s schools department had earlier referred to the reporter who broke the story as “a hacker.”

The Post-Dispatch broke the news about the security flaw on Wednesday. The newspaper said it discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials.

It notified the Department of Elementary and Secondary Education and gave it time to fix the problem before the story was published.

After removing the pages from its website Tuesday, the agency issued a news release that called the person who discovered the vulnerability a “hacker” — an apparent reference to the reporter — who “took the records of at least three educators.” The agency didn’t elaborate as to what it meant by “took the records” and it declined to discuss the issue further when reached by The Associated Press.

The Post-Dispatch journalist found that the school workers’ Social Security numbers were in the HTML source code of the pages. It estimated that more than 100,000 Social Security numbers were vulnerable.

Source codes are accessible by right-clicking on public webpages.

The newspaper’s president and publisher, Ian Caso, said in a statement that the Post-Dispatch stands by the story and journalist Josh Renaud, who he said “did everything right.”

“It’s regrettable the governor has chosen to deflect blame onto the journalists who uncovered the website’s problem and brought it to the Department of Elementary…

Missouri governor accuses journalist who warned state about cybersecurity flaw of criminal ‘hacking’


When a St. Louis Post-Dispatch journalist discovered that the Missouri state teachers website allowed anyone to see the Social Security numbers of some 100,000 school employees, he did what any reporter might do. He published a story about the security vulnerability — though not before warning the state and giving it time to remove the affected webpages.



A July 2020 file photo of Missouri Gov. Mike Parson, who called a St. Louis Post-Dispatch reporter a "hacker" after the discovery of a security flaw in a state website.


© Alex Brandon/AP

Another official might have thanked the newspaper for spotting the flaw and giving a heads-up before publicizing it — or at least downplayed what appears to be an embarrassing government mishap. But Missouri Gov. Mike Parson (R) did the opposite: He called the journalist “a hacker” who may face civil or criminal charges for “decod[ing]” HTML code on the Department of Elementary and Secondary Education website and viewing three Social Security numbers.

The journalist was “acting against the state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet,” Parson announced Thursday. He said that he had referred the case to the Cole County prosecutor and the Missouri State Highway Patrol’s Digital Forensic Unit.

The announcement immediately drew appalled reactions from the Post-Dispatch and other journalistic organizations.

“We stand by our reporting and our reporter who did everything right,” Ian Caso, president and publisher of the Post-Dispatch, said in a statement. “It’s regrettable the governor has chosen to deflect blame onto the journalists who uncovered the website’s problem and brought it to DESE’s attention.”

Committee to Protect Journalists’ U.S. and Canada program coordinator Katherine Jacobsen called Parson’s legal threats “absurd.”

“Using journalists as political scapegoats by casting routine research as ‘hacking’ is a poor attempt to divert public attention from the government’s own security failing,” she told The Washington Post in an email.

A spokeswoman for…
